From c2819963d22b2577e3fcf9a16e6b791d5c6bb54d Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Fri, 21 Jul 2023 15:34:07 +0200
Subject: [PATCH 1/2] Replace custom actions executing bat files to by quiet
 exec custom actions to surpress shown command prompts

Closes #GHSA-9c9p-c3mg-hpjq

(cherry picked from commit fb1ba6390dfcb7028be0eb051b893b744c0444dc)
---
 dist/win/resources/main.wxs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/dist/win/resources/main.wxs b/dist/win/resources/main.wxs
index df73b195f7..c940b9f9a5 100644
--- a/dist/win/resources/main.wxs
+++ b/dist/win/resources/main.wxs
@@ -132,11 +132,17 @@
       <CustomAction Id="JpSetARPURLUPDATEINFO" Property="ARPURLUPDATEINFO" Value="$(var.JpUpdateURL)" />
     <?endif?>
 
+    <Property Id="WixQuietExec64CmdTimeout" Value="20" />
+    <!-- Note for custom actions: Immediate CAs run BEFORE the files are installed, hence if you depend on installed files, the CAs must be deferred.-->
     <!-- WebDAV patches -->
-    <CustomAction Id="PatchWebDAV" Impersonate="no" ExeCommand="[INSTALLDIR]patchWebDAV.bat" Directory="INSTALLDIR" Execute="deferred" Return="asyncWait" />
+    <SetProperty Id="PatchWebDAV" Value="&quot;[INSTALLDIR]patchWebDAV.bat&quot;"
+            Sequence="execute" Before="PatchWebDAV" />
+    <CustomAction Id="PatchWebDAV" BinaryKey="WixCA" DllEntry="WixQuietExec64" Execute="deferred" Return="ignore" Impersonate="no"/>
 
     <!-- Special Settings migration for 1.7.0,. Should be removed eventually, for more info, see ../contrib/version170-migrate-settings.ps1-->
-    <CustomAction Id="V170MigrateSettings" Impersonate="no" ExeCommand="[INSTALLDIR]version170-migrate-settings.bat" Directory="INSTALLDIR" Execute="deferred" Return="asyncWait" />
+    <SetProperty Id="V170MigrateSettings" Value="&quot;[INSTALLDIR]version170-migrate-settings.bat&quot;"
+            Sequence="execute" Before="V170MigrateSettings" />
+    <CustomAction Id="V170MigrateSettings" BinaryKey="WixCA" DllEntry="WixQuietExec64" Execute="deferred" Return="ignore" Impersonate="no"/>
 
     <!-- Running App detection and exit -->
     <Property Id="FOUNDRUNNINGAPP" Admin="yes"/>

From 4e3b2e0be03fd564f465af1a8cfe24fae9efb1b8 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Fri, 21 Jul 2023 16:50:27 +0200
Subject: [PATCH 2/2] supress non affecting cve

---
 suppression.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/suppression.xml b/suppression.xml
index e7cc4ea65e..b7e99d5897 100644
--- a/suppression.xml
+++ b/suppression.xml
@@ -55,4 +55,12 @@
 		<cve>CVE-2022-45688</cve>
 	</suppress>
 
+	<suppress>
+		<notes><![CDATA[
+   		Cryptomator not affected of cve in jackson-databind-2.14.2.jar
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+		<cve>CVE-2023-35116</cve>
+	</suppress>
+
 </suppressions>
\ No newline at end of file